1. Field of the Invention
The present invention relates generally to computer network security and, more particularly, to methods of and systems for identifying a computing device by data stored thereon.
2. Description of the Related Art
From the perspective of a server engaged in Internet transactions, it is advantageous to be able to recognize a client computing device that the server has interacted with previously. The importance of this information can be seen in common Internet transactions today. For example, users can log in to a given site and, through information gleaned from a quick retrieval of cookies stored on the user's device, the site's server can tailor its interaction to the user's known expectations and preferences. Similarly, a user's experience with a virtual shopping cart during on-line shopping may be enhanced if the server hosting the shopping cart can recognize whether multiple HTTP requests from multiple-link clicks originate from the same device.
Technically speaking, HTTP (hypertext transfer protocol)—the protocol by which web browsers and web servers primarily interact—is stateless. That means that any HTTP request and any HTTP response thereto are fully self-defining and not contingent on (or influenced by) HTTP requests or responses previously exchanged. In other words, the exchange of an HTTP request and an associated HTTP response does not change any “state” in the communication between the client device and the server.
To implement features that require a state, such as a virtual shopping cart, the client device and the server are required to cooperate to effect an ongoing or dynamic state in their interaction. The way in which this is accomplished most often is through the use of cookies, which are omnipresent in online transactions today.
In the context of computer communications, a cookie is a unique item of data that stores state information. Each time the browser of a client computer transacts with a web site, the web site server may transmit a cookie to the browser that provides unique identifying data for storage on the client device. On a subsequent visit to the same web site, the site can request that the client device report the unique identifying data recorded in the cookie and thereby recover a state of interaction between the client and server from a previous transaction. For example, if a server asks a client device to store a cookie labeled ABC123, the server can then recognize the same client device whenever the client device reports that its cookie for that server is ABC123.
Cookies have been used very effectively to maintain a state during interaction between a server and a client device. There are, however, other situations where recognition of a particular computing device is highly desirable, but for which cookies are simply inadequate. In particular, cookies don't work when the user doesn't want her device to be recognized or when the device needs to be identified across multiple sites. For example, if a user has been banned from a social networking site for malicious activity, the user can avoid detection by way of cookies by simply deleting all of the cookies associated with the social networking site. Similarly, a different social networking site would not be able to identify the user as one who has behaved maliciously if a cookie from the first site was the only indicator of such prior activity.
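The cookie-based recognition described above, and the two situations in which it fails, can be modeled as follows. This is an added example, not part of the original document; the `Site` and `Browser` classes, the `device_id` cookie name and the site names are hypothetical.

```python
import secrets
from http.cookies import SimpleCookie

class Site:
    """A server that recognizes devices only by a cookie it issued itself."""
    def __init__(self, name):
        self.name = name
        self.seen = set()    # cookie values this site has handed out
        self.banned = set()  # cookie values flagged for malicious activity

    def handle(self, cookie_header):
        """Handle one request; returns (recognized, banned, Set-Cookie or None)."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get("device_id")
        if morsel is not None and morsel.value in self.seen:
            return True, morsel.value in self.banned, None
        did = secrets.token_hex(8)  # unknown device: issue a fresh identifier
        self.seen.add(did)
        out = SimpleCookie()
        out["device_id"] = did
        out["device_id"]["httponly"] = True
        return False, False, out["device_id"].OutputString()

class Browser:
    """A client that keeps a separate cookie per site, as browsers do."""
    def __init__(self):
        self.jars = {}  # site name -> stored device_id value

    def visit(self, site):
        value = self.jars.get(site.name)
        recognized, banned, set_cookie = site.handle(
            f"device_id={value}" if value else None)
        if set_cookie:
            parsed = SimpleCookie(set_cookie)
            self.jars[site.name] = parsed["device_id"].value
        return recognized, banned

def demo():
    """Constructed scenario: returns (recognized, banned) for each visit."""
    a, b, dev = Site("site-a"), Site("site-b"), Browser()
    results = [dev.visit(a), dev.visit(a)]  # new device, then recognized
    a.banned.add(dev.jars["site-a"])        # site A bans this device
    results.append(dev.visit(a))            # ban is enforced via the cookie
    results.append(dev.visit(b))            # site B never sees site A's cookie
    dev.jars.pop("site-a")                  # user deletes site A's cookie
    results.append(dev.visit(a))            # same device now looks brand new
    return results
```

The last two entries of `demo()` show the gap: the ban recorded against the cookie value is invisible to the second site and is lost on the first site once the cookie is deleted.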
What is needed is a more persistent and reliable way to identify a particular computing device through exploitation of cookies.